Enterprise governance, risk, and compliance (GRC) tools have become indispensable to organizations. Maybe you acquired your GRC tool for one initiative such as Sarbanes-Oxley (SOX) or International Standard for Organization (ISO) compliance management.
But they can do so much more. The value is not limited to one function. Don’t underestimate your investment. GRC tools have the ability to handle multiple missions in one integrated platform.
This article is not a call to arms to buy more or different GRC tools. It’s about getting the most out of what, in all likelihood, you have already bought and paid for. And that means thinking broader, more strategically, and holistically.
A good way to start is by asking a few fundamental questions:
Sometimes a particular regulatory compliance requirement needs to be fulfilled, and that is the sweet spot of GRC platforms. Maybe it is GRC requirements around SOX or internal audit or the Statements on Standards for Attestation Engagements (SSAE 16).
For government organizations, the GRC requirement may come from the Federal Information Security Management Act. Hospitals use GRC platforms to address Health Insurance Portability and Accountability Act requirements around patient information and privacy. And these platforms perform superbly, but they are versatile.
GRC platforms reach across domains and even across national boundaries when dealing with best practices provided from the ISO 3100 on risk management and the information technology (IT) and computer security standards from Information Systems Audit and Control Association’s (ISACA) COBIT standard. Companies doing business overseas will also use GRC platforms to document their obligations under the Foreign Corrupt Practices Act, as well as voluntary compliance with the UN Global Compact and the post-9/11 requirements of the Customs-Trade Partnership Against Terrorism.
As you can see, the world is growing in complexity, and it’s being matched by a growing body of rules and regulations. And while all of these regulations, acts, and mandates have specific and unique requirements, the general protocol for managing GRC compliance is fairly similar across all verticals.
The generic concept for GRC platforms is six core functions surrounding one integrated framework, with these functions rolled up and summarized into an executive/program management overview.
Managers must be able to see what is happening, to observe what is going on before they can hope to understand the significance of events, make informed decisions, and take action.
Surprise, unfortunately, is a hallmark of today’s GRC environment. And when it comes to GRC, surprise is not good. In general, GRC platforms make automatic and instantaneously visible what may otherwise drop through the cracks due to human error.
It is probably unnecessary to go into detail with all of the above functions. But documentation is a good one to highlight. So much of GRC rests on having the appropriate documentation available when needed. What are the policies? When were they reviewed? Who signed off on them? Who was involved in the decision? When they were last updated? How were they tested? What reports were made? Where are they? And a critical but generic question: Can we see them?
The odds are that if you currently have a well-managed GRC system, you will be able to answer with ease these and more detailed questions. But is that the case with all your GRC areas, especially those that were not top of mind when the current system was purchased and implemented?
If the answer is not clear, perhaps there is an imbalance, overall, in GRC management. And it can likely be rectified within the scope of your current GRC platform.
Here’s a quick list, not in any particular order, of things to consider when looking at deriving the most from your current GRC platform.
These exercises inform and educate while simultaneously exploring possibilities to achieve economies and incremental gains through previous investments in both technology and process improvement. To illustrate, here are some brief examples, or case studies if you will.
A client was using a popular GRC platform and was satisfied with the results but recognized the need to integrate across the compliance, risk, business continuity, and IT security landscapes. The client also wanted to reengineer the existing applications and processes to take advantage of new features.
The foundational activities included setting up a GRC governance structure, identifying stakeholders, and conducting an educational workshop to show the client the capabilities and potential gains of participating in a GRC integration, developing a road map that showed what could be accomplished in a three-year period.
The benefits included one integrated tool-based platform from which to manage GRC. The increased automation included automatic notifications for reviews as well as a mechanism for escalating unresolved issues. It provided a single repository of information related to the different governance, risk, and compliance processes. It also provided easier linking of information between different processes. Dashboards were used to aggregate process information at various levels, by process level, region, and enterprise.
A client had a complex environment with a number of “divisions” and a number of audit requirements. The client needed to prepare control owners to be “audit ready” for multiple audits such as ISO27001, PCI, FISMA, SOX and SSAE-16. The client also needed to make sure that all core audit requirements were appropriately mapped to control activities with supporting evidence and documentation.
The foundational activities included: setting up a GRC governance structure; designing a consolidated control framework that aligned security policy to compliance requirements; creating a master set of controls to satisfy audit requirements; creating compliance assertion documentation; and a compliance audit preparation training curriculum.
Among other benefits achieved was increased internal audit coverage while reducing the number of controls by 68% in the first year and 30% in the second year.
GRC-specific platforms are not limited to compliance in a single regulatory area. There is life after SOX, and it includes IT security, compliance with privacy regulations, and even fraud and waste in the global supply chain. Benefits are derived from better management of risk and more transparent and complete documentation of policies, processes, and procedures — not to mention a possible net reduction in controls.
GRC tools enable you to think like an innovator. You don’t need to spend more money to get value. It is easier and less risky to build on what you already have.
About the Author
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite.
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
Joe DeVita is a partner with PricewaterhouseCoopers, based in the New York Metro area, and leads the governance, risk and compliance (GRC) technology practice for PwC. Joe works with clients to improve and optimize controls around the financial reporting processes, including business process and IT management controls and IT Security and governance reviews. He also assists clients with application selection, implementation, and optimization of Oracle applications including Oracle E-Business Suite and Oracle GRC Suite. Joe has more than 21 years of IT development, implementation and project management experience and has worked with many of the firm's key clients, including JP Morgan Chase, BP Amoco, IBM, NIKE and Toyota Motors, working with many key issues surrounding risk management and IT controls, including: